Nft fw4 how to mimic iptables -m recent module


I've purposely avoided NFT for a while as I've never been able to find an answer for this, but as the new version of openwrt is now all nft/fw4 based, I guess now is the time to step up asking for help on this one.

All my firewalls, for years now, have been protected using a scheme where I use iptables -m recent module to basically allow a sequence of pings to specific tcp (or udp) ports in a specific order within a specific time frame (60 seconds). Each subsequent ping in order puts the ip address in another list, and after 3 or 4 proper pings, it finally reaches the goodperson bucket, where there is a rule to allow any ip in that bucket access to ssh (or whatever ports I want to give them etc)..

In the 10+ years I've done this, I have NEVER had a single hacker get thru to the ssh port of any device I have protected in this way.

So, before I switch to nft/fw4 I need to know how to do the equivilant in that.. I was told that nft doesn't support something like this a while back, although I find that hard to believe.. I am sure I am not the only one that has thought of and implemented something like this..

Can anyone tell me how to convert, for example, the following to nft/fw4??

iptables -I INPUT 3 -m state --state NEW -m tcp -p tcp --dport xxxx -m recent --rcheck --name knocked --seconds 30 -j open-doornumber2

iptables -I INPUT 4 -m state --state NEW -m tcp -p tcp --dport yyyy -m recent --rcheck --name doornumber2 --seconds 30 -j open-goodperson

iptables -I INPUT 5 -m state --state NEW -m recent --rcheck --name goodperson --seconds 43200 -j ACCEPT

iptables -N open-doornumber2
iptables -A open-doornumber2 -m recent --name doornumber2 --set

iptables -N open-goodperson
iptables -A open-goodperson -m recent --name goodperson --set

Just a thought, configure wireguard, forget about all the rest. wireguard will not answer at all, unless the submitted key is correct, in that way it behaves like port-knocking, but is actually a secure VPN beyond that.

Thanks, but I prefer my solution, if for nothing else than it is less of a footprint for hackers.

With my solution, unless the stack or iptables itself has a bug (or I write the rules wrong) hackers don't even know the host is up let alone have a port to try and break into.

And I actually use openvpn for all my vpns.. and even their ports are behind the above scheme.

Do you know if this is even possible with nft? If not, do you know if I can rip out nft/fw4 from the latest openwrt and put back iptables?

There is a port knocking example here:

THANK YOU SOOO MUCH!!!!!! I've been looking for something like this for ages.. I knew it could be done!!!

Well, I cannot say nft made it any easier to do port knocking.. lol

Talk about expanding a few rules into alot of rules :slight_smile:
But at least it can do it!

1 Like

Have anyone actually actively tried focusing on you?

Online port scanners only scan the registered communications ports. No one scans the complete 2x 16bit port list on a random unknown target.

But if you are actually a valuable target, well just tap in to your internet traffic and look how you do it and your port knocking wall falls down like sand.

But the same “security effect” will appear if you don’t use a standard communication port since no one scan that.

This would continue to be the case using wireguard. Unless the traffic has the correct key the interface remains silent.


I have a few medium valuable targets, but they are databases that do backend work for a few websites that get ok traffic. So, no, I doubt I have any high value targets.

That being said, if you put a system up within hours you'll get scanned, and although I don't use any well known ports for ssh or the port knocking ports, even they get scanned on a weekly basis.. Typically my systems get about a dozen requests for the first entry port.. Very very rarely (Maybe 10 times in the 10 years) someone got to the second port.. No one has ever gotten to the third port.

Don't get me wrong, I don't believe I have the best solution, and certainly it may not hold up to targeted attacks.

But what it does do for me is allow me to keep myself in the loop. By this I mean I have the systems set so whenever any service (ssh usually, but a couple do have backend web servers that should only be accessed by me or my clients so it is behind the port knocks as well) I get a text message..

I know when the system is being accessed. And obviously if I were to try and set a text alert on every failed attempt to those services if they were openly exposed I'd be getting nonstop text messages.

This way it filters out all the bad actors before they even try and hack into the system. Period.

And I can stay in the loop..

It is the perfect solution for me at the moment. And better than any solution that leaves the ports open (even if those solutions are well tested and pretty secure as I want to know when a failed attempt happens personally -- you cannot reasonably do that without filtering out all the attempts before they even get to the service)

So, I don't plan on replacing my system any time soon.. It has been proven over years to work for me, and it is very easy to do. It requires no extra software, just remembering which ports and in which order. Any linux installation has the tools readily available to do that.

Wireguard is additional software -- meaning an additional footprint for security issues. Yes, unless they have the key they are not getting in -- assuming there is no bug in wireguard itself -- right now I only have to deal with bugs in the tcp/ip stack itself, and iptables.. Adding wireguard to the mix adds yet another layer of software I have to know is secure. And even if I do wireguard I'm still back at the issue of I cannot be warned when failed attempts are made, as they will happen all the time -- the nature of the internet these days..

And, actually, I wouldn't use wireguard, I've been an openvpn person for years as well. So that is my VPN solution --- not that it matters for this discussion.

My solution works for me and hasn't been broken thru in the 10+ years I've been using it on any of my or my clients systems. That is good enough for me not to want to change it.

You know the old saying, "If it ain't broke, don't fix it" :slight_smile:

I just tried it using the "IP sets" in FW4 (Luci web interface)..

It says " *Note: datatype set is unsupported in fw4."

Is that fw4 specific, and I can use underlying nft scripts that will work, or do you know if the nft in openwrt is missing this as well?

You should check out /etc/nftables.d/README which makes it much easier to do tricky things with nftables in openwrt. I'm pretty happy the developers had the idea to even do this, which is one of things I love about openwrt vs. just about any other routing/firewall platform out there.

You mean "All *.nft files in this directory are included by the firewall4 ruleset
within the inet/fw4 table context which allows referencing named sets
declared and populated by the firewall configuration.

Don't get me wrong, I'm here because I use openwrt and like it. I've never used nft before because on previous occasions to try and convert I didn't find any way to do port knocking that actually worked.

It looks like fw4 does not support the set option, but the underlying nft does.. I just created a script, and used nft -f to load it.. and viola, it worked..

It would be nice if fw4 in luci displayed it and was able to manipulate it etc like all the other parts of the firewall/nft stuff, but as long as it is there, I can work with that.

Thank you everyone for your comments, suggestions, and especially dave14305 for pointing me to the scripts!!!! I'm not sure why I never found those before, but I didn't :slight_smile:

Now I can finally start working on converting all my iptables stuff to nft -- although I like iptables better still -- maybe that will change as I get more familiar with nfttables.. But at the moment it looks far more complicated to do the same stuff..

1 Like

I am no fan of wireguard. But what do you call the ssl-server package?

We don’t talk about a car engine. Cyber security is an always moving target, nowadays on hour basis. What was secure 1hour ago may not be secure now.

The ssl-server package is not needed to do port knocking.. So, I'm not sure what you are getting at here unless you are talking about openvpn, in which case, as I said, even that is behind the port knock firewall unless the two machines each have dedicated IP addresses which then they are hardcoded into the iptables rules.

quite true. and hence the reason why I don't want to change, as it has lasted 10 years without a compromise.

O, and I have nothing per say against wireguard. I just know openvpn and have been using it for years to provide vpn's for my customers and me. I doubt wireguard is any more secure than openvpn as long as they are both configured properly. And yes openvpn certainly is a larger code base and hence would provide a larger audit task, but then again, it has been around alot longer than wireguard.

And isn't the ssl-server package needed for ssh anyway?

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.